Technology governance: boards are being sued.

I was recently talking with a board colleague about risk and how agile current board processes are. The conversation turned to two landmark cases.

In 2014 two entire boards (Target US and Wyndham Worldwide Corp.) and some of their senior executives were sued for breach of fiduciary duty. Both were in relation to cybersecurity breaches.

Neither of us could understand why more than 80% of boards worldwide continue to lack the capability to meet their technology-related governance responsibilities.

My colleague commented, “It sounds harsh, but the fact is that if your board does not have the competency to critically evaluate board papers, proposals or management responses to questions, risk can rise dramatically. They lack basic capability to govern technology as a board.”

“There’s a pretty vocal slice of the board population convinced that technology governance isn’t any different from other parts of the business such as HR or marketing,” I replied.

“The difference is that these areas of the business differ considerably from technology, especially in the area of risk,” he said. “Technology is now integral to pretty much every part of modern business. That's across all industries, public and private sectors and all types and sizes of organisation.”

Technology governance is now integral to corporate governance

As technology has become integral to modern organisations, enterprise technology governance has become integral to corporate governance. And here's where the increasing risks lie and why we're starting to see board fiduciary responsibility challenged in relation to technology.

Boards continue to recruit people with the same competencies - mostly finance and legal, plus industry experience. That increases a key aspect of competency risk. The knock-on effect flows into areas such as security risk, infrastructure, competitive and reputational risks. Think Sony and how hackers shut it down.

Think about the growing number of once iconic brands that have gone out of business or lost significant market share because they simply didn't keep up with technology-driven change in their sector.

A recipe for disaster?

Slow board process coupled with a lack of technology governance competency is a recipe for increased risk. This is where the continuing over-reliance on 'governance by exception' potentially adds even more risk.

Without careful risk analysis and planning, relying on current board processes such as board reports and committees may simply be too slow. Technology risk can strike with lightning speed.

What's needed are more agile governance processes to help boards cope with the speed of change. And it's not about getting a single tech-savvy person on board. Technology impacts all parts of the business, and all board roles.

Boards would not delegate responsibility for corporate finance to the CFO and ignore it at board level. So why do so many boards continue to ignore or delegate technology governance?

Let’s follow an example through, using ‘there’s really no difference’ logic, and consider how 'governance by exception' could be adding to technology risk in an airline.

Why a step change is needed

For sure there are risks associated with the failure of HR, Marketing, Finance or Legal to perform. However, from an HR standpoint, there’s not really much impact if a flight attendant slops the coffee or a pilot is unable to fly because he’s ill, or even if one of the pilots falls ill while flying a passenger aircraft.

But if any aspect of the computing systems goes wrong, pretty much anywhere in the aviation value chain, there can be serious, even deadly consequences.

Drop the freight, reservation or passenger check-in system for a few hours and the impact ripples into millions of dollars in minutes. It’s felt within the airline and out into multiple areas of the community such as the tourism, business, fast-moving-consumables or export sectors.

The reality is that a technology foul-up in any high tech industry such as aviation, hospitals, or in areas of manufacturing and primary industries can take out a business, kill someone or cause a disastrous ripple effect. And potentially all in milliseconds.

As Steve Kaye commented on one of my earlier blog postings, ‘traditional approaches to risk start to fall apart where a risk may emerge and be fully instantiated / materialised within the time it takes to draw a single breath. Risk mitigation and avoidance is probably more critical in the ICT domain than in any other aspect of business. And if an incident occurs, the solution is unlikely to be further risk management. The immediacy means that the incident response needed instantly bypasses the risk management phase and moves into full-blown disaster recovery.’

When you ponder Steve’s comments and realise that in 2015 most boards are still managing technology risk by exception, if at all, it's time for a change.

Catastrophic technology risk can strike with little or no warning

It’s the sometimes instant consequences, including the social media impact (right or wrong), which differentiate IT/ICT risks from the others.

Steve Kaye again: ‘take your technology governance seriously because if it really goes wrong it can be the equivalent of a nuke; no warning, total disaster and no second chances’. Think Sony as a recent example.

Is your board still governing technology only by exception? The next cyber nuke might just have your organisation's name on it, especially if your board lacks technology governance competency.

On the flip side, those that take a digital leadership role and build board capability are reaping the rewards.

Talk to EGC about an interactive workshop about Agile Management and Governance practices to help you balance the need for speed with current board reporting practices.